I could follow method three couldn't I? I could remove Authenticated Users and add in my Helpdesk Staff Security Group into the DDC GPO Policy and then modify this default setting to enable them to add many computers to the domain.
Someone please check my logic here. Thanks

http://support.microsoft.com/kb/251335/EN-US/

Method 3: Override the Default Limit of the Number of Computers an Authenticated User Can Join to a Domain

You can override the default limit, using either of the following methods:

* Use the Ldp (Ldp.exe) tool included in the Microsoft Windows 2000 Resource Kit.
* Use an Active Directory Services Interface (ADSI) script to increase or decrease the value of the Active Directory ms-DS-MachineAccountQuota attribute. To do this:

1. Install the Windows 2000 Support tools if they have not already been installed. To install these tools, run Setup.exe from the Support\Tools folder on the Windows 2000 Server or the Windows 2000 Professional CD-ROM.
2. Run Adsiedit.msc as an administrator of the domain.
3. Expand the Domain NC node. This node contains an object that begins with "DC=" and reflects the correct domain name. Right-click this object, and then click Properties.
4. In the Select which properties to view box, click Both.
5. In the Select a property to view box, click ms-DS-MachineAccountQuota.
6. In the Edit Attribute box, type a number. This number represents the number of workstations that you want users to be able to maintain concurrently.
7. Click Set, and then click OK.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, February 13, 2005 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

To delegate the permissions -> yes

I would, however, consider removing authenticated users from the privilege "add workstations to domain" in the DDC GPO

Greetz
Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, February 11, 2005 16:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

So I would have to use the delegation wizard at the OU level to add workstations to the domain and ignore the user rights assignments at the DC Level?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, February 10, 2005 3:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

Justin,

The "Add workstations to domain" user right (configured at DC level) by default assigns each authenticated user the right to add 10 computers (default configured quota for this) to the domain. Those computers will be placed in the COMPUTERS CONTAINER and the default owner is "Domain Admins".

However, users can be granted an unlimited number of computers they can add to the domain if the permission has been granted to those users on a certain OU, independently of whether the user right "add workstations to domain" has been granted or not. The owner of the latter objects will be the accounts that created them.

Most of the time it is not acceptable that users add computers to the domain just like that. In the environment I created the design for, I removed authenticated users from the user right, created a global group and granted that global group permissions over a certain OU to create computer accounts.

If I'm correct, the computer accounts need to be created first and then you can join the computer to the domain (as with the join dialog box there is no possibility to specify an OU), and with tools (e.g. NETDOM) where you have the possibility to directly add a computer I presume it is possible to do this without first creating the computer account.

Cheers,
Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, February 09, 2005 19:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Add Computer to Domain

If I wanted to grant a group the rights to join computers to the domain should I configure the User Assignment setting of a GPO to do that and if so should I create that GPO on the OU I want them to join computers to or do I have to do it at the domain level or within the Domain Controllers Policy?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
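The quota that Method 3 edits, and the computer accounts already created under it, can be checked from PowerShell before changing either the quota or the user right. This is an added example, not part of the thread or the KB article; it assumes the ActiveDirectory module (RSAT) is installed, and it is read-only apart from the commented-out last line.

```powershell
# Added example: audit of ms-DS-MachineAccountQuota and of accounts created under it.
# Assumes the ActiveDirectory module (RSAT) and an account that can read the domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# The quota lives on the domain head object (the "DC=..." node opened in ADSI Edit).
$head  = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
$quota = $head.'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota on $domainDN : $quota"

# Accounts created through the "Add workstations to domain" user right record
# the creating user's SID in mS-DS-CreatorSID; the quota is counted against it.
$viaQuota = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
    -Properties 'mS-DS-CreatorSID', whenCreated

$report = foreach ($group in ($viaQuota | Group-Object { $_.'mS-DS-CreatorSID'.Value })) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier $group.Name
    try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $creator = $group.Name }   # deleted or unresolvable account: keep the raw SID

    [pscustomobject]@{
        Creator = $creator
        Count   = $group.Count
        # True when this creator has used up the current quota (0 means joins are disabled).
        AtQuota = ($quota -gt 0 -and $group.Count -ge $quota)
        Newest  = ($group.Group | Sort-Object whenCreated | Select-Object -Last 1).whenCreated
    }
}
$report | Sort-Object Count -Descending | Format-Table -AutoSize

# Step 6 of the KB procedure from PowerShell instead of ADSI Edit.
# A value of 0 disables quota-based joins; delegated OU permissions are unaffected.
# Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```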